Educause Security Discussion mailing list archives
Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA
From: "Telfer, Will" <Will_Telfer () BAYLOR EDU>
Date: Tue, 12 May 2020 16:52:29 +0000
At Baylor University we also elected to go with Duo, but we did trial Microsoft Authenticator for some email accounts to see how it functioned (at the time we elected to integrate Office 365 with Duo so that users did not have to learn a new MFA system). When we first instituted Duo, we provided Duo Hardware Tokens to the less than 10 Faculty & Staff that did not have a mobile device. Currently, our campus bookstore offers them for sale & we only provide them in emergencies (usually the Help Desk assigns a Bypass Code unless there is some long term circumstance requiring a permanent token). In those instances I recommend a U2F device first as they are a bit cheaper than the Duo Hardware Tokens.

Since we allow phone call, as well as SMS passcode authentication, we have not had too many issues with folks being able to use Duo to log into our 60+ services (including Office 365, which includes email).

Thank You,

Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website: baylor.edu/BearAware

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ravi Kotecha
Sent: Tuesday, May 12, 2020 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] FIDO2 keys and MFA

[EXTERNAL MESSAGE]

Hi Beth,

At Brandeis, we are using DUO and chose to offer hardware tokens that generate a one-time passcode instead of the YubiKey option. The hardware tokens cost about $20 each and we have decided it's a cost of doing business and any faculty, staff, or student can request one, at no cost to them. It is not widely advertised, but offered if someone expresses concern over the other 2fa options. The YubiKeys are great for USB capable devices, but since many users use mobile devices, the tokens were a better option for us.

One reason we made the tokens available to anyone who asked was so that it was not a symbol of being low income. It also takes care of study abroad situations, and we did mail out tokens in those cases but since students were on campus when we enabled 2fa, the mailing situations were few and far between.

Best,
Ravi

--
Ravi Kotecha '10, M.S. '14, M.S. '20
Privacy & Information Security Analyst
Information Technology Services
x67284 | security () brandeis edu

On Mon, May 11, 2020 at 9:02 PM Beth Albertson <albertb3 () wwu edu> wrote:

We are in the process of implementing Azure MFA for our staff and students. We have a small percentage of students without smart phones, and would like to offer them the option of using a FIDO2 key. I was wondering if other Universities are using FIDO2 keys, and if so, who is picking up the cost? Are students expected to buy their own device? Also, we, like most Universities, are all online during the Covid crisis, so it seems we would have to mail the FIDO2 keys to users if we pick up the cost.

Thank you in advance for any information you can provide.

Sincerely,

Beth Albertson, CISSP®, PMP®
Director of Information Security
Western Washington University
beth.albertson () wwu edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- FIDO2 keys and MFA Beth Albertson (May 11)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Ravi Kotecha (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Tomassetti, Tina (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Telfer, Will (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Garrett McManaway (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Beth Albertson (May 12)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Sabo, Eric (May 18)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Tim Cappalli (May 18)
- Re: [EXTERNAL] [SECURITY] FIDO2 keys and MFA Ravi Kotecha (May 12)